The law firm of Fenwick & West LLP organized this forum, which should be
the first of many if I'm any judge. Your humble correspondent was present
today, in "business casual" attire as requested in the invitation, in the
company of scores of lawyers who don't know the meaning of the term. The
breaking news:

The 10-member international task force
[1],
[2] that will hammer out
issues of domain-name contention has been named. Its members include
two participants in the Symposium, Sally Abel of Fenwick & West and
David Crocker of the Internet Mail Consortium and Brandenburg
Consulting. The full roster, along with the Internet Society press release
announcing the appointments, is here
[3].

Services are becoming available that will allow you to dial a local ISP
wherever you travel and connect transparently to your home ISP as if
you'd never left home. One new company dedicated to this business is the
i-Pass Alliance
[4], which acts as a broker and a back-end settlement
service for billing roamer access; another offering a similar service is
AimQuest
[5]. When an ISP signs up with i-Pass it sets up a four-way
winning scenario: its own roaming customer gets a valuable service for a
fee, and the local ISP, remote ISP, and i-Pass all share in the revenue.
The i-Pass system has been in field trials since June and is now
available. Some 20 ISPs worldwide have been participating in the trials,
including UUNet and BBN; also notable is Scitor ITS, which has
points-of-presence in 150 countries. (Eleven companies have announced their
involvement with the i-Pass Alliance
[6].) i-Pass's settlement servers are
distributed and redundant, with automatic failover, and each connects
to the Internet over multiple channels. If you would like to be able to
access your normal Internet provider from Timbuktu by dialing a local
number, have your ISP look at i-Pass and AimQuest.

Note added 1997-06-10: i-Pass issued a press release today announcing the addition
of 15 new ISPs and listing their current statistics. The alliance comprises 50 ISPs
with more than 1000 points of presence in 150 countries worldwide, including 628 in
North America, 133 in Asia, 200 in Europe, and 122 elsewhere. Individual ISPs set
roaming prices for their own customers, and the average charge is $4.00 USD per hour.

In September researchers at Princeton University and Bellcore announced a
new technique
[7],
differential fault analysis, for extracting secret keys
from devices such as smart cards that encrypt using RSA-like public-key
schemes. Soon others including Adi Shamir (the "S" in RSA) had extended
DFA to attack secret-key systems such as DES
[8]. By the end of the month
Shamir and coworkers had found a way to apply DFA to cryptosystems of
completely unknown design, such as the Skipjack system developed by the NSA.
The DFA technique involves damaging an encrypting device in a controlled
way and watching what kinds of mistakes it makes. The damage could be
caused by microwave heating or UV radiation, for example. This news does
not mean that RSA or DES are useless as encryption techniques. It does
mean that cryptosystems designed around them must be strengthened with DFA
in mind. Which all goes to bolster the point stressed by Bruce Schneier
in a draft essay recently circulated titled "Why Cryptography is Harder Than
it Looks": we can have no confidence in the security of any cryptosystem
until it has been subjected to lengthy and detailed scrutiny by experts.
Thanks to Monty Solomon <monty at roscom dot com> for sending a steady stream of
updates on DFA.
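
Added example, not from the original newsletter or the cited papers: a simulation of why one computational fault matters for RSA implementations that use the Chinese Remainder Theorem speed-up, next to the verify-before-release countermeasure that stops a faulty result from leaving the device. The CRT setting, the toy Mersenne-prime key, and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small and structured for real use.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_crt(m, fault=False):
    """RSA-CRT signature of m. fault=True simulates one flipped bit in the mod-P half."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault:
        sp ^= 1  # stands in for a glitch induced during the computation
    # Garner recombination of the two half-size results.
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return (sq + Q * h) % N


def leaked_factor(m, s):
    """What anyone holding (m, s) and the public key learns: a factor of N, or None."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_checked(m, fault=False):
    """Countermeasure: verify with the public exponent before releasing the result."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        raise RuntimeError("fault detected; signature withheld")
    return s


if __name__ == "__main__":
    m = 123456789
    print("correct signature leaks:", leaked_factor(m, sign_crt(m)))
    print("faulty signature leaks: ", leaked_factor(m, sign_crt(m, fault=True)))
    try:
        sign_checked(m, fault=True)
    except RuntimeError as err:
        print("checked signer:", err)
```

The faulty result is still correct modulo Q but wrong modulo P, so the gcd isolates Q; the extra public-key operation in `sign_checked` costs little next to the private-key computation.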

Any machine running Windows 95 or Windows NT, or any machine at all that
runs a small piece of publicly available code, can cause targeted devices
anywhere on its connected net -- including the Internet -- to hang or
crash. The mechanism is a ubiquitous, and usually innocuous, network
service called "ping": it takes its name from what submariners do to probe
their surroundings. A system that receives a ping over the network sends
a response that means, "Yes, I'm alive." The normal size of a ping data
packet is 50 to 60 bytes. Many systems don't respond well to receiving
an extremely large ping packet, say 64K bytes. Vulnerable systems
include Unix, Macintosh, and Windows computers as well as various printers,
routers, bridges, and X terminals. Read full details on the Ping o' Death
page [9], maintained
by Mike Bremford <Mike.Bremford at bl dot uk>. No ironclad
defense exists. Firewalls can be programmed to block ping packets to
protect systems inside their perimeters, but doing so would cause some
software that relies on ping to fail. A promising variant on this approach is
to block only "fragmented" ping requests -- ones that have been broken up
to travel over a network, as the dangerous 64K pings would be. I'm afraid
the only real solution will come as manufacturers one by one implement
fixes in their operating-system and network software, and the owners of
vulnerable connected machines install upgrades -- a process that is bound
to stretch out over months and years. Nick Brown <Nick.Brown at dct dot coe dot fr>
brought this problem to the attention of Risks readers.
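
Added example, not from the original newsletter or the Ping o' Death page: a filter-side classifier for the fragment-blocking variant described above. It goes one step further and flags any fragment, of any protocol, whose data would end past the 65535-byte limit of a reassembled IPv4 datagram. Function names and the sample headers (documentation addresses 192.0.2.x) are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # the 16-bit Total Length field caps a reassembled datagram
ICMP = 1


def classify(header: bytes) -> str:
    """Classify one IPv4 header: 'pass', 'icmp-fragment', 'oversize' or 'malformed'."""
    if len(header) < 20:
        return "malformed"
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", header[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return "malformed"
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    payload = total_len - ihl
    # Where this fragment's data would end in the reassembled datagram.
    if ihl + offset + payload > MAX_IP_DATAGRAM:
        return "oversize"
    if proto == ICMP and (more_fragments or offset):
        return "icmp-fragment"
    return "pass"


def sample_header(total_len, offset_units, mf, proto=ICMP):
    """Constructed test input: a minimal 20-byte IPv4 header (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    cases = {
        "ordinary 64-byte ping": sample_header(84, 0, False),
        "middle fragment of a large ping": sample_header(1500, 185, True),
        "final fragment ending past 65535": sample_header(120, 8189, False),
        "fragmented UDP": sample_header(1500, 185, True, proto=17),
    }
    for name, hdr in cases.items():
        print(f"{name:35s} -> {classify(hdr)}")
```

Dropping only the `oversize` class leaves legitimate fragmented traffic alone, while dropping `icmp-fragment` as well matches the blunter rule the paragraph describes.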

Researchers at the San Diego Supercomputer Center announced that they
have seen instances of a kind of attack on Unix security first described
early in 1995. At that time a CERT advisory was issued (see
[10] for the
updated version) and many vendors issued patches to fix the
vulnerability in their systems. It now develops that the "rpc.statd" attack can
have consequences more severe than first imagined, and that such attacks
have occurred on the Internet. See
[11]
for the SDSC's expansion on the
CERT advisory. Thanks to Dan Kohn <dan at teledesic dot com> for tipping this
story.

Java is taking the world of Net application development by storm, but let's
not forget that it is a young language that hasn't had the seasoning of a C,
C++, or Perl. TechWeb reports in an exclusive story
[12] that a major
Web-site development effort has encountered bugs in the current version (1.0.2)
of the Java Virtual machine that cause applications to break down under load.
JavaSoft engineers have acknowledged problems in thread scheduling and
memory management and say they are fixed in version 1.1 of the JVM, which will
not be widely available until Q1 of 1997.

On November 6 Microsoft made good on its promise to deliver the Internet
Explorer 3.0 browser cross-platform: it introduced the first beta for
Macintosh. Download the PowerPC version from
[14]. (Microsoft had
announced Mac support for the ActiveX SDK on 10/17
[15].)
IE 3.0b1 supports Java, but the release notes tell us not to expect
much stability until the next beta, because Apple's Java Virtual Machine
is itself in beta. Marimba's site
[16] offers the
following backhanded
comment about Apple's JVM. (At the next IE beta users will be able to
choose the Metrowerks JVM, which is said to be considerably more stable.)

> Bongo runs on Windows NT, Windows 95, and Solaris... Other platforms
> may be supported in future releases... A Macintosh version will be
> available as soon as there is a stable Java Virtual Machine for the
> Macintosh.

The Microsoft browser runs in a svelte 4 MB on a PowerPC Mac, compared
to 9 MB for Netscape Navigator 3.0. To be fair the latter includes Mail
and News modules. I don't use these but Netscape doesn't give me the
option not to load them. Adding Mail and News to IE brings the required
memory to 6 MB. The browser seems fast, goes out of its way for
compatibility with Netscape's, and has some nice interface touches. I
especially like the cross-session history of visited sites, which has the same
interface as that used for bookmarks (called "favorites" in IE). IE does
not do frames but does do cascading style sheets.

I make no secret of rooting for Apple, whatever Be-comes of its OS
[17],
[18]. But give Bill Gates his due
[19],
Internet Explorer for the Mac is
a middling good piece of code. I keep it on my desktop along with
Navigator 2.02 and 3.0 Gold and I use them all at need. Even in the first beta
IE is reasonably stable -- it's crashed my machine only three times in
the last seven hours, a record I doubt could have been matched with any
beta of any version of Navigator.

Browser war update: three weeks ago the battle looked worse for Netscape
than it does today (see TBTF for 1996-10-20
[13]). By Interse's measurement
[20], in the month of October
Navigator gained 9 percentage points at IE's
expense, reversing a trend established last May. Still, one sees an
increasing number of sites
[21] marked "Best viewed with {Netscape
Navigator 3.0 button} {Microsoft Internet Explorer 3.0 button} Download today!"

Hungry for daily news about the Web? Bite into the meaty Newslinx
[22] for
a concise, bulleted summary of current news items, hand-selected by
someone with evident discernment. Now cleanse your palate on a calorie-free
exercise in pure gonzo Zen Web emptiness
[23]. For dessert, a dense fudge
brownie -- Hotsheet [24] is a
single-page launch pad for four hundred or so popular destinations. Full yet?

From time to time I like to revisit the fearless predictions made in these
pages. Reality usually takes place at some angle to the prediction; such
is the lot of prognosticators. A year ago
[25] TBTF made so bold as to
advise the creator of the Internet Index. (Mr. Treese did not reply.)

> Win Treese at Open Market publishes the Internet Index on no fixed
> schedule. See [26] for past issues and source citations.
>
> > Percentage of advertisements containing URLs, in the first 18 pages
> > of the September, 1995, issue of Scientific American: 50
> >
> > Percentage of advertisements containing toll-free telephone numbers,
> > in [the same issue]: 90
> >
> > Number of subscribers to Internet World magazine: 208,000
> >
> > Number of subscribers to Cosmopolitan: 2.3 million
>
> ...
>
> Perhaps next time Mr. Treese will count the URLs in Cosmo ads. When
> that index rises above 50% we'll know the era of online commerce is
> at hand.

Well, the Cosmo Girl site has gone live; are we having online commerce
yet?

A consistent trend in Web demographics since the earliest measurements
has been the growing proportion of women (and girls) online. Hungry
advertisers and Web merchants are increasingly targeting female Netizens.
One result is a flurry of fashion-related pages, such as the
award-winning Fashion Internet site
[28]. Windows Magazine said in naming it
Best Overall Page, "Fashion Internet proves that a Web site can never
be too rich or too thin." (Pity they don't credit TBTF for the lips.)

Let's play Next Big Thing. Had you been a venture capitalist or an angel,
where would you have placed your bets as the Internet phenomenon gathered
itself to explode around you? My reading is that the bets were placed in
roughly this order, starting in (say) 1993:

infrastructure

wiring, plumbing (e.g. Cascade, Cisco)

ISPs (PSI, Netcom)

browsers (Netscape, Spry)

search engines (Lycos, Yahoo, Excite)

metrics (I/Pro, Interse, net.Genesis)

content (c|net, Yahoo, Excite)

locality (boston.com, CitySearch / Sidewalk)

What's next? The Red Herring in their December 1996 (sic) issue bets on
Web development tools (HAHT, Rogue Wave, Wallop, NetObjects). Maybe for
the little-i intranet, but for the Big-I I'd say watch the trend towards
personalization. This concept when applied to manufacturing has been
called "mass customization" -- a newspaper published for a readership of
one. You can experience something close at My Yahoo
[29]. After you
personalize your site, you return there at
<http://my.yahoo.com/>, with a
username and password, for the news topics, weather cities, stock quotes,
and sports scores you have chosen to see, all up to date. Firefly
[30]
takes another approach to personalization -- agents that you train. The
Red Herring profiles Firefly CEO Pattie Maes
[31], who emerged from the
MIT Media Lab to form Agents, Inc. in 1995, which changed its name to
Firefly when its Web site garnered stronger name recognition than the
parent company. (In this Firefly follows the example of Mosaic Netscape
and Architext.) Firefly's current incarnation -- agents as builders of
community -- is a technology demonstration in which you tell an agent
what you like in the way of music and movies. The agent recommends other
things you might like, based on what people who like what you like, like.
(Got it?) Red Herring says "It's an interesting site, but to recognize
in it the grander applications of Firefly's technology requires a
sympathetic imagination." Five hundred thousand people have signed up on the
Firefly network since the spring.

I've joined a new mailing list called dreamwave (see Sources below),
on which one receives early notice of promising Web sites and other
bleeding-edge stuff. Recently the list has hosted a discussion of the relative
merits of search engines new and old, meta-search sites, etc. The list
pointed me to EuroSearch
[32],
which can filter returned sites by language
(it knows 23 of them). Recently Charles Seiter of Macworld Online reviewed
a number of search engines
[33] and fingered Infoseek's Ultraseek
[34] as
the most accurate and up-to-date of the lot. Just this afternoon the
dreamwave list brought word of a new, experimental, semi-parallel, multi-engine
search site called Arfie
[35] that takes a boolean, parenthesized search
string and submits it to multiple engines, feeding each one the format it
wants. This is somewhat like SavvySearch
[36],
[37] (whose interface now
speaks, coincidentally, 23 languages), but Arfie is more general. As a test
I tried to find a Web instance of The History of the Net
[38], a fable
possibly written by Andrew Bennett of MIT's Department of Ocean Engineering.
I submitted to Arfie a syntax like "phrase 1" and "phrase 2" and "phrase 3,"
choosing phrases from the text for their unusualness. Here are the results
from 13 search engines. For this kind of search HotBot
[39] emerges a sure
winner.

>>Today's TBTF title is from the Song to David, a poem written by
> Christopher Smart in 1763.

>>Excite for Web Servers is the engine that once rendered the TBTF archive
> searchable by keyword or concept. The beta of EWS version 1.1 is in my
> hands and I hope to have the search function re-enabled Real Soon Now.

TBTF alerts you weekly to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the message "subscribe"
to tbtf-request@world.std.com. TBTF is Copyright 1996 by Keith Dawson,
<dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-commercial
purposes please forward and post as you see fit.
_______________________________________________
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.